Security Group Risky Ports Check with Protocol
ID: rule:aliyun:ecs-security-group-risky-ports-check-with-protocol
Severity: high
Description
When a security group ingress rule's source is set to 0.0.0.0/0, its port range should not include the risky ports (22, 3389) for the specified protocols (TCP/UDP); exposing these ports to every source increases the risk of brute force attacks.
Reason for Violation
The security group allows access to risky ports (SSH:22, RDP:3389) from all sources (0.0.0.0/0), which increases the risk of brute force password attacks.
Recommendation
Restrict access to ports 22 (SSH) and 3389 (RDP) by limiting the source CIDR to specific trusted IP ranges instead of 0.0.0.0/0.
Resource Types
ALIYUN::ECS::SecurityGroup
ALIYUN::ECS::SecurityGroupIngress
ALIYUN::ECS::SecurityGroupIngresses